BSDSec

deadsimple BSD Security Advisories and Announcements

[Security-announce] pfSense-SA-17_01.webgui


=============================================================================
pfSense-SA-17_01.webgui                                     Security Advisory
                                                                      pfSense

Topic:          Multiple Captive Portal XSS vulnerabilities in the WebGUI

Category:       pfSense Base System
Module:         webgui
Announced:      2016-12-17
Credits:        yanncam via Github https://github.com/pfsense/pfsense/pull/3288
Affects:        pfSense software version <= 2.3.2_1
Corrected:      2016-12-18 04:01:33 UTC (pfSense/master, pfSense 2.4)
                2016-12-18 04:08:05 UTC (pfSense/RELENG_2_3, pfSense 2.3.x)
                2016-12-18 04:08:20 UTC (pfSense/RELENG_2_3_2, pfSense 2.3.2_x)

0.   Revision History

v1.2  2017-02-10 Updated release information, changed SA ID
v1.1  2016-12-18 Initial SA draft
v1.0  2016-12-17 Initial public report

I.   Background

pfSense® software is a free network firewall distribution based on the
FreeBSD operating system.  The pfSense software distribution includes third-
party free software packages for additional functionality, and provides most of
the functionality of common commercial firewalls.

The majority of users of pfSense software have never installed or used a stock
FreeBSD system.  Unlike similar GNU/Linux-based firewall distributions, there
is no need for any UNIX knowledge.  The command line is never used, and there
is no need to ever manually edit any rule sets. Instead, pfSense software
includes a web interface for the configuration of all included components.
Users familiar with commercial firewalls will quickly understand the web
interface, while those unfamiliar with commercial-grade firewalls may encounter
a short learning curve.

II.  Problem Description

Multiple Cross-Site Scripting (XSS) vulnerabilities were found in the Captive
Portal area of the pfSense software WebGUI on version 2.3.2_1 and earlier.

List of parameters vulnerable to reflected XSS:
* status_captiveportal.php: "order", "zone"
* status_captiveportal_expire.php: "zone"
* status_captiveportal_test.php: "zone"
* status_captiveportal_voucher_rolls.php: "zone"
* status_captiveportal_vouchers.php: "zone"

III. Impact

Due to the lack of proper output encoding on the affected parameters and pages
susceptible to XSS, arbitrary JavaScript can be executed in the user's browser.
The user's session cookie or other information from the session may be
compromised.
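As an added illustration (not pfSense's own code, and not the actual patch), the pattern the advisory describes in PHP: a "zone" parameter reflected into the page without encoding, beside a version that allow-lists the value against the configured zones and HTML-encodes it on output. The zone names and sort column names are assumptions.

```php
<?php
// Illustrative only; not pfSense code. Shows the defect behind the advisory
// (a request parameter echoed into HTML unencoded) and the defensive fix:
// allow-list the value, then encode on output.

// Constructed sample of configured Captive Portal zone names. In pfSense
// these would come from the firewall configuration (assumption).
$configured_zones = ['guest', 'staff'];

// Vulnerable pattern (the "before"): the parameter is interpolated as-is,
// so any markup in it becomes part of the rendered page.
function render_zone_heading_unsafe(string $zone): string {
    return "<h2>Captive Portal Status: $zone</h2>";
}

// Hardened pattern: reject values that are not a configured zone, and
// HTML-encode even the accepted value before emitting it.
function render_zone_heading_safe(string $zone, array $configured_zones): string {
    if (!in_array($zone, $configured_zones, true)) {
        // Never reflect the rejected input back into the response.
        return '<h2>Captive Portal Status: unknown zone</h2>';
    }
    $encoded = htmlspecialchars($zone, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<h2>Captive Portal Status: $encoded</h2>";
}

// Same treatment for the "order" parameter: accept only the sort keys the
// page actually supports and fall back to a default otherwise.
function sanitize_order(string $order): string {
    $allowed = ['ip', 'mac', 'user', 'start']; // assumed column names
    return in_array($order, $allowed, true) ? $order : 'ip';
}

// Demonstration with a constructed request value that contains markup.
$zone  = $_GET['zone']  ?? 'guest<b>x</b>';
$order = $_GET['order'] ?? 'start';
echo render_zone_heading_safe($zone, $configured_zones), "\n"; // "unknown zone"
echo 'Sorting by: ', sanitize_order($order), "\n";
```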

IV.  Workaround

To mitigate the problem on older releases, use one or more of the following:
* Limit access to the affected pages to trusted administrators only.
* Do not log into the firewall with the same browser used for non-
  administrative web browsing.

V.   Solution

Upgrade to version 2.3.3 of the pfSense software, or a later version. This may
be performed in the web interface or from the console.

   See https://doc.pfsense.org/index.php/Upgrade_Guide

VI.  Correction details

The following list contains the correction revision numbers for each
affected item.

Branch/path                                                      Revision
-------------------------------------------------------------------------
pfSense/master                     ac90c9012453c7e81ff0d0b472a55b116866c56e
                                   e12b438b9c19e9dc3009344c487bd2bf72adb831
pfSense/RELENG_2_3                 c31fb7b0fa074e0ec2924b860f3c6cfb32b2d391
                                   a6a158e91eb64393e2a9cc9d0877fcfae03390a1
pfSense/RELENG_2_3_2               1992d9f946e7a14667ee95362a85c1e4a473da16
-------------------------------------------------------------------------

VII. References

<URL:https://doc.pfsense.org/index.php/Upgrade_Guide>

The latest revision of this advisory is available at
<URL:https://pfsense.org/security/advisories/pfSense-SA-17_01.webgui.asc>
_______________________________________________
Security-announce mailing list
Security-announce@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/security-announce